A virtual machine (VM) is a software implementation of a computer that executes programs in a way that is similar to a physical machine. Virtualization technology allows the underlying physical hardware resources to be shared between different virtual machines, each running its own operating system (as a guest) and a set of applications. Virtualization of computing and networking resources, such as servers, application delivery controllers (ADCs), and load balancers, can improve the performance and resource utilization of datacenters. Further, virtualization of such resources may reduce costs and overhead for service providers. This can be achieved without compromising the isolation and independence of the physical machines and the VMs hosted therein.
The isolation and independence of VMs allow creating “tenants” and providing multi-tenancy support in a datacenter. A “tenant” is a group of one or more VMs hosted in a physical machine and provisioned to provide services to a particular customer, for example, based on a service-level agreement (SLA). Virtualization further provides a high degree of dynamism. For example, VMs can be dynamically created, deleted, powered on/off, added to, or removed from their physical machines. The dynamic characteristics of VMs and virtual environments drive their utilization in network infrastructures (e.g., datacenters, private cloud, public cloud, etc.) which require high scalability. However, such requirements impose a great challenge on existing traditional networks, which are static and suffer from scalability limitations (e.g., flooding and STP).
To efficiently support virtualization technologies and multi-tenancy, virtualized networking architectures, or virtual networks, have been proposed. One approach to building a virtual network is software-defined networking (SDN). SDN allows building a networking architecture that provides centralized management of network elements rather than the distributed architecture utilized by conventional networks. That is, in a distributed architecture each network element makes a routing decision based on the results of traffic processing and a distributed control mechanism. In contrast, in SDN, a network element follows networking operations, such as routing decisions, received from a central controller. SDN can be implemented in wide area networks (WANs), local area networks (LANs), the Internet, metropolitan area networks (MANs), internet service provider (ISP) backbones, datacenters, and the like. An SDN-based network element is typically a switch that routes traffic according to the control of the central controller. The SDN may also include “standard” (or traditional) routers, switches, bridges, load balancers, and so on, as well as any virtual instantiations thereof.
In one configuration of an SDN, the central controller communicates with the network elements using the OpenFlow protocol, which provides a network abstraction layer for such communication. Specifically, the OpenFlow protocol adds programmability to network elements for the purpose of packet-processing operations under the control of the central controller, thereby allowing the central controller to define the traffic-handling decisions in the network element. To this end, traffic received by a network element that supports the OpenFlow protocol is processed and routed according to a set of rules defined by the central controller.
One type of virtual network is defined as an SDN-based overlay networking architecture, which is based on overlay logical links established over the physical transport network. Overlay logical links are tunneled through the underlying physical networks using dedicated tunnel encapsulation performed by network virtualization edge devices, such as virtual switches and dedicated overlay gateways.
A significant problem facing the Internet community is that on-line businesses and organizations are vulnerable to malicious attacks. Recently, attacks have been committed using a wide arsenal of attack techniques and tools targeting both the information maintained by the on-line businesses and their IT infrastructure. Hackers and attackers are constantly trying to improve their attacks to cause irrecoverable damage, to overcome currently deployed protection mechanisms, and so on.
One of the common attacks against network infrastructures, such as datacenters and cloud-based infrastructures, is the denial-of-service (DoS) attack and its distributed form (DDoS), commonly referred to hereinafter as DoS attacks. Virtualized networking architectures, or virtual networks, expose some tenants to DoS attacks even when such tenants are not intentionally targeted by the attacker. This is due to the fact that multiple tenants share the same physical machine with a VM that may be the target of the attack.
A non-limiting example is illustrated in FIG. 4. In a network 400 there is shown a physical machine 410 (e.g., a physical server) that hosts two VMs: VM 421 and VM 422. A DoS attack directed at VM 421 affects the connectivity of physical machine 410 and/or a network element 401 connected thereto, which thereby can also cause VM 422 to become unavailable. This problem can significantly downgrade the quality of service (QoS) provided to the VMs 421 and 422, in particular when the VMs are provisioned with different security service-level agreements (SLAs) to support different tenants.
For example, the VM 422 is provisioned with a security SLA that includes anti-DoS attack services, while the VM 421 is configured without any security services at all. The VM 421 and VM 422 are allocated to different tenants (customers). When the VM 421 is under DoS attack, the physical machine 410 is also affected, and thereby access to both VMs, and thus to their respective tenants, is denied. Although no security services are guaranteed to VM 421, the QoS guaranteed to VM 422 can no longer be met.
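The following toy model puts the two preceding ideas together: a network element that, as in the OpenFlow configuration described above, only applies the rules pushed by a central controller, and a physical machine whose single NIC budget is shared by the two hosted VMs of FIG. 4. It is an added illustration, not code from the patent: the addresses, packet counts, NIC budget and the controller rules are all constructed assumptions, and the metered rule is a hypothetical mitigation used only to show that traffic policy enforced at the network element, before the shared NIC, changes the outcome for the untargeted VM 422.

```python
"""Toy OpenFlow-style network element plus a shared physical machine.

Added illustration, not code from the patent text. The addresses, packet
counts, NIC budget and the meter rule are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

VM421 = "10.0.0.21"   # constructed address for VM 421 (no security SLA)
VM422 = "10.0.0.22"   # constructed address for VM 422 (anti-DoS SLA)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass
class FlowRule:
    """One entry the central controller pushes to the network element."""
    priority: int
    match: Dict[str, str]              # packet fields that must match; {} is a wildcard
    action: str                        # "forward" or "drop"
    meter_limit: Optional[int] = None  # max packets forwarded per batch (meter-like cap)
    matched: int = 0


class OpenFlowSwitch:
    """Network element 401: it makes no routing decisions of its own and only
    applies the rules received from the controller."""

    def __init__(self) -> None:
        self.table: List[FlowRule] = []

    def install(self, rule: FlowRule) -> None:
        self.table.append(rule)
        self.table.sort(key=lambda r: -r.priority)   # highest priority is tried first

    def forward_batch(self, packets: List[Packet]) -> List[Packet]:
        for r in self.table:
            r.matched = 0                             # meter counts are per batch
        out: List[Packet] = []
        for pkt in packets:
            for rule in self.table:
                if all(getattr(pkt, k) == v for k, v in rule.match.items()):
                    rule.matched += 1
                    within_meter = rule.meter_limit is None or rule.matched <= rule.meter_limit
                    if rule.action == "forward" and within_meter:
                        out.append(pkt)
                    break            # first matching rule decides; a table miss drops the packet
        return out


class PhysicalMachine:
    """Physical machine 410: one NIC budget shared by both hosted VMs."""

    def __init__(self, budget: int, vm_ips: List[str]) -> None:
        self.budget = budget
        self.vm_ips = vm_ips

    def deliver(self, packets: List[Packet]) -> Dict[str, int]:
        delivered = {ip: 0 for ip in self.vm_ips}
        for pkt in packets[: self.budget]:             # anything past the budget is lost
            delivered[pkt.dst_ip] += 1
        return delivered


def build_traffic() -> List[Packet]:
    """Constructed batch: 1000 flood packets to VM 421 interleaved with 100
    legitimate packets to VM 422 (ten flood packets per legitimate one)."""
    pkts: List[Packet] = []
    for i in range(100):
        pkts += [Packet(f"198.51.100.{i % 250 + 1}", VM421)] * 10
        pkts.append(Packet("203.0.113.7", VM422))
    return pkts


def baseline_controller(switch: OpenFlowSwitch) -> None:
    """Controller policy before the attack is noticed: plain forwarding to both VMs."""
    switch.install(FlowRule(priority=10, match={"dst_ip": VM421}, action="forward"))
    switch.install(FlowRule(priority=10, match={"dst_ip": VM422}, action="forward"))


def run(with_meter: bool) -> Dict[str, int]:
    """Packets delivered to each VM for one batch, with or without the metered rule."""
    switch = OpenFlowSwitch()
    pm = PhysicalMachine(budget=200, vm_ips=[VM421, VM422])
    baseline_controller(switch)
    if with_meter:
        # Hypothetical mitigation pushed by the controller: cap traffic towards the
        # attacked VM at the network element, before it reaches the shared NIC.
        switch.install(FlowRule(priority=100, match={"dst_ip": VM421},
                                action="forward", meter_limit=50))
    return pm.deliver(switch.forward_batch(build_traffic()))


if __name__ == "__main__":
    print("no mitigation:", run(False))   # VM 422 receives only 18 of its 100 packets
    print("metered      :", run(True))    # VM 422 receives all 100; VM 421 capped at 50
```

Without any rule beyond plain forwarding, the flood towards VM 421 consumes most of the shared budget and the untargeted VM 422 receives 18 of its 100 legitimate packets, which is the QoS collapse the text describes. With the metered rule installed by the controller, the cap is enforced at the network element, so the NIC of physical machine 410 is no longer saturated and VM 422 receives all of its traffic.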
As can be understood from this example, the segregation and isolation of VMs hosted in physical machines connected in virtualized networking architectures are compromised, at least during DoS attacks. As a result, organizations and businesses lose revenue due to security-related downtime during periods when the service-level agreement (SLA) cannot be guaranteed to the paying customers.
A simple solution would be to provision both VMs with anti-DoS services; however, this solution is not efficient. It would therefore be advantageous to provide an efficient solution that ensures continuous services and the guaranteed security SLA for a group of paying tenants during cyber-attacks, and particularly during DoS attacks.